04 Nov 2010

For an online IDE, security is vitally important. We hold the passwords to many websites and are a potential target for malicious hackers.

Our systems are fully patched and we have a firewall in place to keep hackers out, but we have to plan for the worst-case scenario. What if a hacker somehow obtained our database and source code?

If you connect without using the save password option, the password is kept in the session until you log out or the session expires.

If you have many sites, typing in all the different passwords can be annoying, and the passwords are hard to remember. So we've introduced a new master password feature.

You can set a master password by going to Preferences -> Security. Once the master password is set, any FTP passwords that are stored will be encrypted using your password. You will then only need to enter the master password once per session to access all of your sites.

Without the master password, the only way a hacker could obtain your passwords would be an infeasible brute-force attack.

If you forget your master password, you can remove it, but you will lose all of your stored FTP passwords.

This is an overview of how the master password system works:

Setting the master password

1. Client enters master password.
2. Master password is hashed with a unique salt in the client's browser.
3. Hash is then transmitted to the server.
4. Existing FTP passwords are AES encrypted using the hash.
5. The hash is then re-hashed and stored on the server.

Accessing a site

1. Client enters master password.
2. Master password is hashed with a unique salt in the client's browser.
3. Hash is then transmitted to the server.
4. Hash is re-hashed and verified against the stored hash.
5. FTP password is AES decrypted using the original hash.
6. The hash is stored in the session until the user logs out or the session expires.

You will notice that at no point is your master password directly transmitted to our server, ensuring greater security.
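
The two flows above, written out as an added example in Node.js (not our production code). PBKDF2-SHA256 as the browser-side hash, SHA-256 as the re-hash and AES-256-GCM as the AES mode are assumptions, since the overview names only "hash" and "AES". The function names, salt and passwords are constructed for illustration.

```javascript
// Added example: algorithm choices are assumptions, not taken from the post.
const crypto = require('crypto');

// Browser side: stretch the master password with the per-user salt.
// PBKDF2-SHA256 stands in for the unspecified client-side hash.
function clientHash(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, 200000, 32, 'sha256');
}

// Server side: only the re-hash of the received hash is stored.
function rehash(hash) {
  return crypto.createHash('sha256').update(hash).digest();
}

// Server side: AES-256-GCM with the received hash as the key.
function encryptFtpPassword(hash, ftpPassword) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', hash, iv);
  const ct = Buffer.concat([cipher.update(ftpPassword, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// "Setting the master password": returns what the server keeps on disk.
function setMasterPassword(hash, ftpPasswords) {
  const sites = {};
  for (const [site, pw] of Object.entries(ftpPasswords)) {
    sites[site] = encryptFtpPassword(hash, pw);
  }
  return { verifier: rehash(hash), sites };
}

// "Accessing a site": verify the re-hash, then decrypt with the original hash.
function accessSite(record, hash, site) {
  if (!crypto.timingSafeEqual(rehash(hash), record.verifier)) {
    throw new Error('master password rejected');
  }
  const { iv, ct, tag } = record.sites[site];
  const decipher = crypto.createDecipheriv('aes-256-gcm', hash, iv);
  decipher.setAuthTag(tag); // decryption fails if the ciphertext was altered
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample data.
const salt = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
const hash = clientHash('correct horse battery staple', salt);
const record = setMasterPassword(hash, { 'ftp.example.com': 's3cret-ftp' });
console.log(accessSite(record, hash, 'ftp.example.com')); // s3cret-ftp
```

In this layout the database holds only the re-hash and the ciphertexts, never the hash that serves as the AES key. Assuming the salt is stored with the account, the cost of each master-password guess against a stolen database is the cost of the client-side hash, so its work factor is the parameter to tune.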